High-profile data breaches put retailers in public crosshairs

What exactly happened at Target has been the focus of much media scrutiny. On the chain’s website, it tells customers that in mid-December 2013, the company “learned criminals forced their way into our system, gaining access to guest credit and debit card information.”

Delving further into the subject, Brian Krebs, a former Washington Post reporter and security blogger based in Merrifield, Va., has cited sources that point to a third-party heating, ventilation and air conditioning (HVAC) company that had access to Target’s systems. Krebs, named by several news sources as the one who initially broke the Target story, said gaining access allowed criminals to insert malware that eventually snuck into point-of-sale (POS) registers at multiple stores in Target’s chain.

Whether or not Krebs’s report is accurate, the inference that data thieves are resourceful and opportunistic is clear.

And Target may just be today’s poster child for data breaches, according to Gray Taylor, executive director of the Petroleum Convenience Alliance for Technological Standards (PCATS), Alexandria, Va. “There may be five or six Targets” before upcoming credit-card mandates designed to update payment processes force change, he says.

Breaches the size of Target’s are not without precedent. In 2007, TJX Inc., parent of T.J. Maxx, Marshalls and Bob’s Stores, said hackers stole 45.6 million credit-card numbers. The next year, hackers broke into computers Heartland Payment Systems used to process 100 million payment-card transactions per month for 175,000 merchants.

Last year, 7-Eleven Inc. was among more than a dozen companies hacked in what the U.S. Department of Justice called the largest such scheme ever prosecuted in the United States. A federal indictment made public last July in New Jersey charged five men with conspiring in a worldwide hacking and data-breach scheme that targeted corporate networks including that of the Dallas-based convenience chain, and stole more than 160 million credit-card numbers.

In another case, a Manhattan district attorney’s announcement cited indictments in data-breach cases at c-stores in the South and Southeast. At least two other publicly reported incidents involving c-stores have arisen in the past year.

Lawmakers Step In

Recent months have seen a line of representatives from retail channels to associations to financial institutions parade before U.S. House and Senate committees to discuss the matter.

In March, the PCI Security Standards Council, a forum created by the major credit-card companies to set and promote their security standards, testified before the House Financial Services subcommittee on “Financial Institutions and Consumer Credit” about its PCI (payment card industry) standards.

Still, EMV is the next set of mandated upgrades coming down the pike for retailers, which for them means upgrading to accept plastic cards carrying chip-and-PIN (personal identification number) technology. Adopted widely in Europe and Canada, EMV adds another level of data security to the transaction. For POS devices, the PCI deadline for upgrades is October 2015, and for dispensers it’s October 2017.

But observers such as Taylor of PCATS fear that if existing mandates for EMV and many of the other suggested security measures all become requirements, costs to the retail community will be prohibitive and “put the small merchant out of business.”